summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/modes (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Reenable AES-NI in libcryptotb2024-09-061-5/+8
| | | | | | | | | | | | | | | | | | | The OPENSSL_cpu_caps() change after the last bump missed a crucial bit: there is more MD mess in the MI code than anticipated, with the result that AES is now used without AES-NI on amd64 and i386, hurting machines that previously greatly benefitted from it. Temporarily add an internal crypto_cpu_caps_ia32() API that returns the OPENSSL_ia32cap_P or 0 like OPENSSL_cpu_caps() previously did. This can be improved after the release. Regression reported and fix tested by Mark Patruck. No impact on public ABI or API. with/ok jsing PS: Next time my pkg_add feels very slow, I should perhaps not mechanically blame IEEE 802.11...
* Add a few missing endbr64 to libcryptotb2024-02-241-0/+2
| | | | | | | | gcm_{gmult,ghash}_4bit(), aesni_ccm64_decrypt_blocks(), aes_cbc_encrypt(), and aesni_xts_{en,de}crypt() were overlooked in previous passes. Found with a diff for ld.lld by kettenis ok kettenis
* Replace uses of endbr64 with _CET_ENDBR from cet.htb2024-02-241-4/+4
| | | | | | | | | cet.h is needed for other platforms to emit the relevant .gnu.properties sections that are necessary for them to enable IBT. It also avoids issues with older toolchains on macOS that explode on encountering endbr64. based on a diff by kettenis ok beck kettenis
* Avoid a four-byte overread in gcm_ghash_4bit_mmx() on i386tb2024-01-241-1/+1
| | | | | | | This is a variant of the same logic error fixed in ghash-x86_64.pl r1.6. The code path is only reachable on machines without FXSR or PCLMUL. ok jsing
* Avoid a four byte overread in gcm_ghash_4bit() on amd64.jsing2024-01-241-1/+1
| | | | | | | | | | | | | | The assembly code for gcm_ghash_4bit() reads one too many times from Xi, resulting in a four byte overread. Prevent this by not loading the next value in the final iteration of the loop. If another full iteration is required the next Xi value will be loaded at the top of the outer_loop. Many thanks to Douglas Gliner <Douglas.Gliner at sony dot com> for finding and reporting this issue, along with a detailed reproducer. Same diff from deraadt@ ok tb@
* Improve byte order handling in gcm128.jsing2023-08-101-329/+44
| | | | | | Replace a pile of byte order handling mess with htobe*() and be*toh(). ok tb@
* Hide symbols in modes.hbeck2023-07-087-7/+35
| | | | ok tb@
* Hit modes with the loving mallet of knfmtbeck2023-07-089-1164/+1342
| | | | ok tb@
* xts128 mode: avoid two -Wshadow warnings in the BIG_ENDIAN code path.tb2023-05-071-5/+5
| | | | Found by, compile tested & ok bluhm.
* Remove CTS modetb2023-04-252-296/+1
| | | | ok jsing
* Add endbr64 where needed by inspection. Passes regresson tests.deraadt2023-04-251-0/+4
| | | | ok jsing, and kind of tb an earlier version
* Cipher text stealing will go away. Mark it for removal.tb2023-04-161-1/+3
| | | | ok jsing
* Use explicit .text instead of .previous to please Windows/MinGW on amd64tb2023-02-231-1/+1
| | | | ok miod
* Use .section .rodata instead of a plain .rodatatb2023-02-091-1/+1
| | | | | | | | At least gcc 12 on Fedora is very unhappy about a plain .rodata and throws Error: unknown pseudo-op: `.rodata'. So add a .section in front of it to make it happy. ok deraadt miod
* Move all data blocks from .text to .rodata and cleanup up and homogeneize codemiod2023-02-021-16/+5
| | | | responsible from getting the proper address of those blocks.
* Move all data blocks from .text to .rodata and cleanup up and homogeneize codemiod2023-02-011-41/+25
| | | | | | responsible from getting the proper address of those blocks. ok tb@ jsing@
* Move constants out of text segment into rodata to prepare for xonly supportderaadt2023-01-141-2/+2
| | | | | on amd64. no pic handling is neccessary since amd64 has full reach. ok kettenis
* Move all data tables from .text section to .rodata, and update the code tomiod2023-01-131-7/+28
| | | | | | | fetch them correctly when building PIC. Also drop unused data, and remove --no-execute-only from linker flags. ok kettenis@
* Move all data tables from .text section to .rodata, and update the code tomiod2023-01-131-17/+16
| | | | | | | fetch them correctly when building PIC. Also drop unused data, and remove --no-execute-only from linker flags. ok jsing@ kettenis@
* spelling fixes; from paul tagliamontejmc2022-12-262-6/+6
| | | | | | | i removed the arithmetics -> arithmetic changes, as i felt they were not clearly correct ok tb
* Make internal header file names consistenttb2022-11-269-17/+17
| | | | | | | | | | | | | | | | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
* Use memmove instead of memcpy for overlapping memoryinoguchi2022-01-221-3/+3
| | | | | | CID 251047 251094 OK beck@ jsing@ millert@ tb@
* Switch to <endian.h> from <machine/endian.h> for better portability.bcook2021-11-092-4/+5
| | | | ok tb@
* Make sure that the tag buffer size is equal to the tag sizetb2019-05-081-2/+2
| | | | | | | | | in CRYPTO_ccm128_tag(). Otherwise the caller might end up using the part of the tag buffer that was left uninitialized. Issue found by Guido Vranken. ok inoguchi
* add c++ symbol annotationsbcook2018-07-241-1/+9
| | | | from Cameron Palmer
* Make the NEON codepaths conditional on __STRICT_ALIGNMENT not beingkettenis2018-01-242-3/+3
| | | | | | defined as they rely on unaligned access. ok joel@
* In the middle of CRYPTO_gcm128_finish() there is a complicated #ifdefderaadt2017-12-091-6/+8
| | | | | block which defines a variable late, after code. Place this chunk into a { subblock } to satisfy old compilers and old eyes.
* Checking sizeof size_t by SIZE_MAX instead of _LP64inoguchi2017-09-031-7/+7
| | | | ok bcook@
* Fix ifdef to if in gcm128.cinoguchi2017-08-301-2/+2
| | | | ok deraadt@ bcook@
* fix missing bracket on ARMbcook2017-08-141-15/+15
| | | | ok beck@
* move endian/word size checks from runtime to compile timebcook2017-08-133-292/+307
| | | | ok guenther@
* use freezero() instead of memset/explicit_bzero + free. Substantiallyderaadt2017-05-021-5/+2
| | | | | | | | | | reduces conditional logic (-218, +82). MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c wasn'tt quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and BN_FLG_STATIC_DATA where the condition cannot be collapsed completely. Passes regress. ok beck
* Convert ARM assembly to unified syntax. Clang demands it, binutilspatrick2017-01-041-4/+5
| | | | | | supports it as long as it's marked as unified syntax. ok bcook@ kettenis@
* Explicitly export a list of symbols from libcrypto.jsing2016-12-211-1/+4
| | | | | | | | | | | | | | | | Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting the bn_* symbols. These are documented as only being intended for internal use, so why they were placed in a public header is beyond me... This hides 363 previously exported symbols, most of which exist in headers that are not installed and were never intended to be public. This also removes a few crusty old things that should have died long ago (like _ossl_old_des_read_pw). But don't worry... there are still 3451 symbols exported from the library. With input and testing from inoguchi@. ok beck@ inoguchi@
* Replace all uses of magic numbers when operating on OPENSSL_ia32_P[] bymiod2016-11-041-6/+13
| | | | | | | | | | | | | | | meaningful constants in a private header file, so that reviewers can actually get a chance to figure out what the code is attempting to do without knowing all cpuid bits. While there, turn it from an array of two 32-bit ints into a properly aligned 64-bit int. Use of OPENSSL_ia32_P is now restricted to the assembler parts. C code will now always use OPENSSL_cpu_caps() and check for the proper bits in the whole 64-bit word it returns. i386 tests and ok jsing@
* Remove I386_ONLY define. It was only used to prefer amiod2016-11-042-5/+4
| | | | | | | faster-on-genuine-80386-but-slower-on-80486-onwards innstruction sequence in the SHA512 code, and had not been enabled in years, if at all. ok tom@ bcook@
* Less S390.jsing2016-09-041-262/+0
| | | | ok deraadt@
* Less IA64.jsing2016-09-041-463/+0
| | | | ok deraadt@
* Correct spelling of OPENSSL_cleanse.jsing2015-09-101-2/+2
| | | | ok miod@
* unifdef -UCBC_HANDLES_TRUNCATED_IOmiod2015-07-191-19/+1
| | | | ok bcook@ doug@
* Remove assert() or OPENSSL_assert() of pointers being non-NULL. The policymiod2015-02-108-47/+8
| | | | | for libraries in OpenBSD is to deliberately let NULL pointers cause a SIGSEGV. ok doug@ jsing@
* Delete a lot of #if 0 code in libressl.doug2015-02-071-4/+1
| | | | | | | | | | | | | | | | | | | | | | | | | There are a few instances where #if 1 is removed but the code remains. Based on the following OpenSSL commits. Some of the commits weren't strictly deletions so they are going to be split up into separate commits. 6f91b017bbb7140f816721141ac156d1b828a6b3 3d47c1d331fdc7574d2275cda1a630ccdb624b08 dfb56425b68314b2b57e17c82c1df42e7a015132 c8fa2356a00cbaada8963f739e5570298311a060 f16a64d11f55c01f56baa62ebf1dec7f8fe718cb 9ccc00ef6ea65567622e40c49aca43f2c6d79cdb 02a938c953b3e1ced71d9a832de1618f907eb96d 75d0ebef2aef7a2c77b27575b8da898e22f3ccd5 d6fbb194095312f4722c81c9362dbd0de66cb656 6f1a93ad111c7dfe36a09a976c4c009079b19ea1 1a5adcfb5edfe23908b350f8757df405b0f5f71f 8de24b792743d11e1d5a0dcd336a49368750c577 a2b18e657ea1a932d125154f4e13ab2258796d90 8e964419603d2478dfb391c66e7ccb2dcc9776b4 32dfde107636ac9bc62a5b3233fe2a54dbc27008 input + ok jsing@, miod@, tedu@
* Doh, rev 1.4 had left out one routine with both 32-bit and 64-bit code, wheremiod2014-09-271-0/+2
| | | | the 64-bit code has to be disabled under OpenBSD/hppa.
* Explicitly include <openssl/opensslconf.h> in every file that referencesjsing2014-07-101-2/+4
| | | | | | | | | an OPENSSL_NO_* define. This avoids relying on something else pulling it in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is never going to do anything, since OPENSSL_NO_XYZ will never defined, due to the fact that opensslconf.h has not been included. This also includes some miscellaneous sorting/tidying of headers.
* Remove leading underscore from _BYTE_ORDER and _{LITTLE,BIG}_ENDIAN, to bemiod2014-07-093-37/+37
| | | | | more friendly to systems where the underscore flavours may be defined as empty. Found the hard way be bcook@; joint brainstrom with bcook beck and guenther
* hand-KNF macro the do { } while loopsderaadt2014-06-271-13/+13
|
* tags as requested by miod and teduderaadt2014-06-1210-0/+10
|
* malloc() result does not need a cast.deraadt2014-06-071-1/+1
| | | | ok miod
* Move the cts128 and gcm128 tests to regress.jsing2014-05-312-459/+0
|
* Get __STRICT_ALIGNMENT from <machine/endian.h> and decide upon it, rathermiod2014-05-078-31/+25
| | | | | | | | | | | | | | than defining it for not (i386 and amd64 (and sometimes s390)) only. Compile-time tests remain compile-time tests, and runtime-test remain runtime-test instead of being converted to compile-time tests, per matthew@'s explicit demand (rationale: this makes sure the compiler checks your code even if you won't run it). No functional change except on s390 (which we don't run on) and vax (which we run on, but noone cares about) ok matthew@